Opened 7 years ago

Closed 7 years ago

#3866 closed defect (fixed)

Server crashing sometimes from large values in twkb encoding

Reported by: nicklas Owned by: nicklas
Priority: medium Milestone: PostGIS 2.3.4
Component: postgis Version: 2.3.x
Keywords: Cc:


The attached geometry writes beyond the buffer.

In some cases it crashes the server.

It is caused from a large value that encodes to a variable integer of 10 bytes instead of the expected max 8 bytes. Most of the time this doesn't do any harm. But if the preceding point leaves exactly 8 bytes left in the buffer, the space check will not reallocate and writing 9 or 10 bytes will cause writing beyond the buffer.

Attachments (1)

test.sql (174.6 KB ) - added by nicklas 7 years ago.

Download all attachments as: .zip

Change History (7)

by nicklas, 7 years ago

Attachment: test.sql added

comment:1 by nicklas, 7 years ago

increased the expected max size of variable integer to 16 bytes instead of 8 bytes.

That should always be enough since the value gets truncated by casting to int64_t before encoding to variable integer

fixed in trunk r15817

comment:2 by nicklas, 7 years ago

fixed in 2.2 and 2.3 with r15836 and r15837

comment:3 by nicklas, 7 years ago

Resolution: fixed
Status: assignedclosed

comment:4 by robe, 7 years ago

Resolution: fixed
Status: closedreopened

need to put this in NEWS for 2.2 and 2.3. For 2.4 not necessary.

comment:5 by pramsey, 7 years ago

In 15838:

TWKB news item (References #3866)

comment:6 by pramsey, 7 years ago

Resolution: fixed
Status: reopenedclosed

In 15839:

TWKB news item (Closes #3866)

Note: See TracTickets for help on using tickets.